Basics of pdadmin: How to manage WebSEAL junctions

Managing WebSEAL junctions with the ‘pdadmin’ command-line tool is not an easy task. This post provides a short reference to the most common operations.

First, you need to know the name of the WebSEAL instance you want to manage. Note that it differs from the object path!

pdadmin sec_master> server list
pdadmin sec_master>

From here, you can obtain the list of all defined junctions on this instance:

pdadmin sec_master> server task list
pdadmin sec_master>

Now we’ll create our own new junction. For example, we want to expose internal server “” under the junction named “myjunction”:

pdadmin sec_master> server task create -t tcp -h -p 8080 /myjunction
Created junction at /myjunction
pdadmin sec_master>

Let’s check the result. Note the highlighted lines – those are directly affected by the parameters we supplied during the junction creation.

pdadmin sec_master> server task show /myjunction
    Junction point: /myjunction
    Type: TCP
    Junction hard limit: 0 - using global value
    Junction soft limit: 0 - using global value
    Active worker threads: 0
    Basic authentication mode: filter
    Forms based SSO: disabled
    TFIM junction SSO: no
    Authentication HTTP header: do not insert
    Remote Address HTTP header: do not insert
    Stateful junction: no
    Boolean Rule Header: no
    Scripting support: no
    Preserve cookie names: no
    Cookie names include path: no
    Transparent Path junction: no
    Delegation support: no
    Mutually authenticated: no
    Insert WebSphere LTPA cookies: no
    Insert WebSEAL session cookies: no
    Request Encoding: UTF-8, URI Encoded
    Server 1:
        ID: 67abf5a2-a0e3-11e2-8638-005056b03849
        Server State: not running
        Operational State: Online
        Port: 8080
        Virtual hostname:
        Server DN:
        local IP address:
        Query_contents URL: /cgi-bin/query_contents
        Query-contents: unknown
        Case insensitive URLs: no
        Allow Windows-style URLs: yes
        Current requests : 0
        Total requests : 1
pdadmin sec_master>

There are additional configuration values to supply during junction creation. Here are some useful ones:

  • “-s” marks the junction as stateful, providing session stickiness for the backend servers
  • “-c <header1,header2,…>” passes end-user authentication data to the junction in HTTP headers:
    • “iv-user” – plain username
    • “iv-user-l” – DN of the end user
    • “iv-user-groups” – list of groups the end user belongs to
  • “-r” sends the client IP address to the junction in a dedicated HTTP header
  • “-x” creates a so-called “transparent path” junction, for when the actual application resides on the “/myjunction” path on the backend server

Note that those values apply to all backend servers under the junction, and you cannot modify most of them afterwards – you have to recreate the junction for that!

If you want to add another backend server to this junction (say, “”), it is much simpler:

pdadmin sec_master> server task add -h -p 8080 /myjunction
Added server at /myjunction
pdadmin sec_master>

In order to remove a backend server, you’ll need the server ID. You can obtain one by listing the junction definition (see above).

pdadmin sec_master> server task remove -i 67abf5a2-a0e3-11e2-8638-005056b03849 /myjunction
Removed server 67abf5a2-a0e3-11e2-8638-005056b03849 from /myjunction.
pdadmin sec_master>
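
The remove step needs the server ID from the “show” output, and the options set at creation time are only visible there too. The following is an added example, not code from the original post: it parses saved “show” output into junction-wide settings and per-server blocks. Assumptions: the sample text is constructed from the listing above, the second server ID is made up, and the pairing of -s, -c, -r and -x with output fields is inferred from the field names.

```python
import re

# Constructed sample: trimmed "show" output in the layout listed above, with a
# second backend added. The second ID is a made-up placeholder.
SAMPLE = """\
    Junction point: /myjunction
    Type: TCP
    Authentication HTTP header: do not insert
    Remote Address HTTP header: do not insert
    Stateful junction: no
    Transparent Path junction: no
    Server 1:
        ID: 67abf5a2-a0e3-11e2-8638-005056b03849
        Server State: not running
        Port: 8080
    Server 2:
        ID: 00000000-0000-0000-0000-000000000002
        Server State: running
        Port: 8080
"""

def parse_junction(text):
    """Split 'show' output into junction-wide settings and per-server blocks."""
    junction, servers, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pdadmin "):
            continue  # skip blank lines and pdadmin prompt lines
        if re.fullmatch(r"Server \d+:", line):
            current = {}  # every following key belongs to this backend
            servers.append(current)
            continue
        key, _, value = line.partition(":")
        (junction if current is None else current)[key.strip()] = value.strip()
    return junction, servers

def server_ids(servers, state=None):
    """IDs usable with 'remove -i', optionally filtered by Server State."""
    return [s["ID"] for s in servers if "ID" in s and state in (None, s.get("Server State"))]

def creation_time_settings(junction):
    """Fields assumed to reflect -s, -c, -r and -x (changing them means a recreate)."""
    keys = ("Stateful junction", "Authentication HTTP header",
            "Remote Address HTTP header", "Transparent Path junction")
    return {k: junction.get(k) for k in keys}

if __name__ == "__main__":
    junction, servers = parse_junction(SAMPLE)
    print(creation_time_settings(junction), server_ids(servers, state="not running"))
```

Reviewing the creation-time fields before deleting and recreating a junction shows which flags have to be passed again to keep the same behaviour.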

Deleting the whole junction is also an easy task:

pdadmin sec_master> server task delete /myjunction
Deleted junction from /myjunction
pdadmin sec_master>
